Improved Security for OCB3

OCB3 is the current version of the OCB authenticated encryption mode which is selected for the third round in CAESAR. So far the integrity analysis has been limited to an adversary making a single forging attempt. A simple extension for the best known bound establishes integrity security as long as the total number of query blocks (including encryptions and forging attempts) does not exceed the birthday-bound. In this paper we show an improved bound for integrity of OCB3 in terms of the number of blocks in the forging attempt. In particular we show that when the number of encryption query blocks is not more than birthday-bound (an assumption without which the privacy guarantee of OCB3 disappears), even an adversary making forging attempts with the number of blocks in the order of \(2^n/\ell _{\text {MAX}}\) (n being the block-size and \(\ell _{\text {MAX}}\) being the length of the longest block) may fail to break the integrity of OCB3.

[1]  D. Whiting IEEE P802.11 Wireless LANs, AES Encryption & Authentication Using CTR Mode & CBC-MAC , 2000 .

[2]  Krzysztof Pietrzak,et al.  The Exact Security of PMAC , 2016, IACR Trans. Symmetric Cryptol..

[3]  David A. McGrew,et al.  An Interface and Algorithms for Authenticated Encryption , 2008, RFC.

[4]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[5]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[6]  Phillip Rogaway,et al.  Robust Authenticated-Encryption AEZ and the Problem That It Solves , 2015, EUROCRYPT.

[7]  Phillip Rogaway,et al.  The Software Performance of Authenticated-Encryption Modes , 2011, FSE.

[8]  Nilanjan Datta,et al.  ELmE: A Misuse Resistant Parallel Authenticated Encryption , 2014, ACISP.

[9]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[10]  Mihir Bellare,et al.  The Power of Verification Queries in Message Authentication and Authenticated Encryption , 2004, IACR Cryptol. ePrint Arch..

[11]  D. McGrew,et al.  The Galois/Counter Mode of Operation (GCM) , 2005 .

[12]  Andrey Bogdanov,et al.  Parallelizable and Authenticated Online Ciphers , 2013, IACR Cryptol. ePrint Arch..

[13]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[14]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[15]  Jacques Patarin,et al.  The "Coefficients H" Technique , 2009, Selected Areas in Cryptography.